IAM Service Account Credentials API

The Google Cloud IAM Credentials API issues short-lived credentials for service accounts: temporary access tokens, ID tokens, and JWTs.

Use it when

Short-lived tokens limit leak impact

Watch for

Only issues for existing service accounts — does not create identities

First check

Send POST /v1/projects/-/serviceAccounts/{sa-email}:generateAccessToken to get an access token; use generateIdToken in place of generateAccessToken for an OIDC ID token.

Auth:
CORS: No
HTTPS: Yes
Signup: ?
Latency: 41 ms
Protocol: REST
Pricing:

Uptime · 30-day window

Probes: 1 · Uptime: 100% · Avg latency: 41 ms

01

About this API

The IAM Credentials API is foundational to GCP's "zero long-lived keys" practice. The traditional approach was to create a JSON key file for a service account and have apps read that file to authenticate, but leaked keys were major incidents. IAM Credentials lets a principal with token-creator permission (a user or another SA) issue short-lived tokens for a target SA, avoiding long-lived keys altogether. Combined with Workload Identity Federation, it lets you reach the point where "apps never hold any GCP credentials": GKE pods, GitHub Actions runners, and AWS Lambdas exchange their own platform identity for short-lived GCP tokens. This makes the API core to GCP's security best practices.

02

What you can build

  • Get short-lived access tokens in CI/CD without permanent keys
  • Token exchange for Workload Identity Federation
  • Service account impersonation across applications
  • Issue custom JWTs to downstream services

03

Strengths & limitations

Strengths

  • Short-lived tokens limit leak impact
  • Supports service account impersonation for permission delegation
  • Combined with Workload Identity, enables zero long-lived secrets

Limitations

  • Only issues for existing service accounts — does not create identities
  • Default 1-hour token, max 12 hours

04

Example request

Generic template — replace <endpoint> with the real path from the docs.
curl https://google.com/<endpoint>
05

Getting started

Send POST /v1/projects/-/serviceAccounts/{sa-email}:generateAccessToken to get an access token; use generateIdToken in place of generateAccessToken for an OIDC ID token.

06

FAQ

What happens when a token expires?

SDKs typically auto-refresh. Manual handling: re-issue within 5 minutes of expiry.

How do I revoke an issued token?

A single token cannot be revoked directly. For immediate effect, revoke the SA's IAM permission; all tokens then become invalid.
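
An added example, not from the original page or from Google's SDKs: it builds the generateAccessToken request from "Getting started", enforces the 12-hour maximum, and applies the FAQ's rule of re-issuing within 5 minutes of expiry. The host name, the `scope`/`lifetime` request fields and the `accessToken`/`expireTime` response fields are the public REST API's; the function and class names and the `issue` callable (which would perform the authenticated POST) are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

API = "https://iamcredentials.googleapis.com"  # IAM Credentials API host
DEFAULT_LIFETIME_S = 3600                # page: default 1-hour token
MAX_LIFETIME_S = 12 * 3600               # page: max 12 hours
REFRESH_MARGIN = timedelta(minutes=5)    # FAQ: re-issue within 5 minutes of expiry


def build_access_token_request(sa_email, scopes, lifetime_s=DEFAULT_LIFETIME_S):
    """Return (url, json_body) for :generateAccessToken; reject unsafe input."""
    if not sa_email or any(c in sa_email for c in "/?#"):
        raise ValueError("service account must not contain path or query characters")
    if not scopes:
        raise ValueError("at least one OAuth scope is required")
    if not 0 < lifetime_s <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_S} seconds")
    url = f"{API}/v1/projects/-/serviceAccounts/{sa_email}:generateAccessToken"
    body = json.dumps({"scope": list(scopes), "lifetime": f"{lifetime_s}s"})
    return url, body


def parse_expiry(expire_time):
    """Parse the RFC 3339 expireTime field of the response into an aware datetime."""
    return datetime.fromisoformat(expire_time.replace("Z", "+00:00"))


class ShortLivedToken:
    """Caches one token and re-issues it once inside the refresh margin."""

    def __init__(self, issue):
        self._issue = issue      # hypothetical callable: returns the response as a dict
        self._token = None
        self._expiry = None

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._token is None or now >= self._expiry - REFRESH_MARGIN:
            resp = self._issue()
            self._token = resp["accessToken"]
            self._expiry = parse_expiry(resp["expireTime"])
        return self._token
```

The token is held only in memory; nothing is written to disk, which keeps the "no long-lived key file" property the page describes.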

07

Technical details

CORS: No
HTTPS: Yes
Signup: ?
Open source: No
Auth type: unknown
Pricing: unknown
Protocols: REST
SDKs: python, javascript, go, java
Response time: 41 ms
Last health check: 5/12/2026, 7:37:31 AM